Detect debuggers, virtual machines, sandboxed environments, CPU emulators

- Detect debuggers attached to the application process
- Check for an abnormally low number of physical CPU cores (exit if fewer than 3)
- Sandboxie (DLL libraries)
- Joe Sandbox (processes)
- VMware (processes, files, drivers, WMI, BIOS, GFX)
- Oracle VirtualBox (processes, files, drivers, BIOS, GFX)
- Parallels Virtual Machine (processes, files)
- KVM (drivers)
- WINE (API inconsistencies, DLL libraries, special API functions)
- Bochs (WMI BIOS)
- QEMU (processes, WMI BIOS)
- XEN (processes)

The added code is executed at the very beginning of the script. On a positive detection the process is terminated silently, without any error message.
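As an added illustration (written for this page, not the obfuscator's own detection code), the following AutoIt script performs a subset of the checks listed above before the real script starts: a debugger check via IsDebuggerPresent(), the physical core count via WMI, the Sandboxie DLL, guest-tool processes and drivers, and VM vendor strings in the SMBIOS data. The process names, driver file names and BIOS markers are the commonly known ones for VMware, VirtualBox, Parallels, QEMU and Bochs and should be treated as assumptions to be tuned, as should the core-count threshold of 3 taken from the list above.

```autoit
; Added example for this page, not the obfuscator's own code.
; All names and thresholds below are assumptions chosen to illustrate the checks.

Func _IsDebuggerAttached()
    ; Only catches a user-mode debugger attached to this (AutoIt3) process
    Local $aRet = DllCall("kernel32.dll", "bool", "IsDebuggerPresent")
    If @error Then Return False
    Return $aRet[0] <> 0
EndFunc

Func _PhysicalCoreCount()
    ; Sum of NumberOfCores over all Win32_Processor instances; -1 if WMI is unavailable
    Local $iCores = 0
    Local $oWMI = ObjGet("winmgmts:\\.\root\cimv2")
    If Not IsObj($oWMI) Then Return -1
    Local $oCPUs = $oWMI.ExecQuery("SELECT NumberOfCores FROM Win32_Processor")
    For $oCPU In $oCPUs
        $iCores += $oCPU.NumberOfCores
    Next
    Return $iCores
EndFunc

Func _BiosLooksVirtual()
    ; Hypervisors leave their name in the SMBIOS manufacturer/version/serial strings (assumed marker list)
    Local $oWMI = ObjGet("winmgmts:\\.\root\cimv2")
    If Not IsObj($oWMI) Then Return False
    Local $aMarkers[5] = ["VMware", "VirtualBox", "VBOX", "QEMU", "Bochs"]
    Local $oItems = $oWMI.ExecQuery("SELECT Manufacturer, SMBIOSBIOSVersion, SerialNumber FROM Win32_BIOS")
    For $oBios In $oItems
        Local $sInfo = $oBios.Manufacturer & " " & $oBios.SMBIOSBIOSVersion & " " & $oBios.SerialNumber
        For $i = 0 To UBound($aMarkers) - 1
            If StringInStr($sInfo, $aMarkers[$i]) Then Return True   ; case-insensitive by default
        Next
    Next
    Return False
EndFunc

Func _GuestProcessRunning()
    ; Guest-tools processes of VMware, VirtualBox and Parallels (assumed list); ProcessExists() returns PID or 0
    Local $aProcs[5] = ["vmtoolsd.exe", "vmwaretray.exe", "VBoxService.exe", "VBoxTray.exe", "prl_tools.exe"]
    For $i = 0 To UBound($aProcs) - 1
        If ProcessExists($aProcs[$i]) Then Return True
    Next
    Return False
EndFunc

Func _GuestDriverPresent()
    ; Guest drivers installed under System32\drivers (assumed list)
    Local $aDrivers[4] = ["vmmouse.sys", "vmhgfs.sys", "VBoxMouse.sys", "VBoxGuest.sys"]
    For $i = 0 To UBound($aDrivers) - 1
        If FileExists(@SystemDir & "\drivers\" & $aDrivers[$i]) Then Return True
    Next
    Return False
EndFunc

Func _SandboxieLoaded()
    ; Sandboxie injects SbieDll.dll into every sandboxed process; a non-zero module handle means we are inside
    Local $aRet = DllCall("kernel32.dll", "handle", "GetModuleHandleW", "wstr", "SbieDll.dll")
    If @error Then Return False
    Return $aRet[0] <> 0
EndFunc

Func _EnvironmentLooksHostile()
    If _IsDebuggerAttached() Then Return True
    Local $iCores = _PhysicalCoreCount()
    If $iCores <> -1 And $iCores < 3 Then Return True   ; threshold taken from the feature list above
    If _GuestProcessRunning() Or _GuestDriverPresent() Then Return True
    If _BiosLooksVirtual() Or _SandboxieLoaded() Then Return True
    Return False
EndFunc

; Runs before anything else; a bare Exit mirrors "terminated silently, without any error message"
If _EnvironmentLooksHostile() Then Exit

ConsoleWrite("Real script starts here" & @CRLF)
```

Two practitioner caveats: the core-count rule also fires on legitimate single- and dual-core machines, so it trades false positives for sandbox evasion, and every check here reads a name or string that an analyst can patch in the sandbox (rename the process, hide the driver, fake the BIOS strings), which is why the list above combines many independent signals rather than relying on one.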

Select types of helper random numbers to be generated:

Global $xyz = 1

Global $xyz = Asc("[")

Global $xyz[3] = [369, 214, 592]

Global $xyz[2][4] = [ [34, 14, 592, 3], [349, 2] ]

Func xyz()
    Return 1238948
EndFunc

#OnAutoItStartRegister "dhfe_nMCTQQ_qeMdNOv_hTu"
...
Func dhfe_nMCTQQ_qeMdNOv_hTu()
    Global Const $xyz = 88643041
EndFunc

Global $var_2659 = Asc(StringMid("Random(188, 1504914845 + SRandom(), 1626512065)", 18, 1))
If 2010239059 = 2010239059 Then

Random numbers are used all over the obfuscated code, so the more types you enable, the better. If you don't select any, all of the random types are generated.

Original:

ConsoleWrite("1. One" & @CRLF)
ConsoleWrite("2. Two" & @CRLF)
ConsoleWrite("3. Three" & @CRLF)

Obfuscated:

$rnd = 239892
While True
    If 40402 = $rnd Then
        $rnd = 1993
        ConsoleWrite("2. Two" & @CRLF)
    ElseIf $rnd = 239892 Then
        $rnd = 40402
        ConsoleWrite("1. One" & @CRLF)
    ElseIf $rnd = 1993 Then
        ConsoleWrite("3. Three" & @CRLF)
        $rnd = 203030211
    ElseIf $rnd = 203030211 Then
        ExitLoop
    EndIf
WEnd

Read more about code execution flow obfuscation. The loop control statements ExitLoop and ContinueLoop are automatically adjusted to the new loop nesting levels.
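The level adjustment matters as soon as the flattened code already sits inside a loop. The following added example (written for this page, not output of the obfuscator) flattens the body of a For loop into a state-machine dispatcher like the one above; since the dispatcher While/WEnd becomes the innermost loop, the original ExitLoop and ContinueLoop have to be rewritten as ExitLoop 2 and ContinueLoop 2 so that they still target the For loop. The state values are arbitrary, like $rnd above.

```autoit
; Added example for this page, not the obfuscator's output.

Func _Original()
    Local $sOut = ""
    For $i = 1 To 10
        If Mod($i, 2) = 0 Then ContinueLoop   ; skip even numbers
        If $i > 7 Then ExitLoop               ; stop after 7
        $sOut &= $i & ","
    Next
    Return $sOut
EndFunc

Func _Flattened()
    Local $sOut = ""
    Local $iState
    For $i = 1 To 10
        $iState = 7291                        ; entry state of the flattened body
        While True
            If $iState = 7291 Then
                ; was "ContinueLoop": level 2 names the For loop, not the dispatcher
                If Mod($i, 2) = 0 Then ContinueLoop 2
                $iState = 40988
            ElseIf $iState = 40988 Then
                ; was "ExitLoop": without the level it would only leave the dispatcher
                If $i > 7 Then ExitLoop 2
                $iState = 1187
            ElseIf $iState = 1187 Then
                $sOut &= $i & ","
                $iState = 55013
            ElseIf $iState = 55013 Then
                ExitLoop                      ; end of the original body: leave only the dispatcher
            EndIf
        WEnd
    Next
    Return $sOut
EndFunc

ConsoleWrite(_Original() & @CRLF)
ConsoleWrite(_Flattened() & @CRLF)
ConsoleWrite("Equivalent: " & (_Original() = _Flattened()) & @CRLF)
```

Drop the "2" from either statement in _Flattened() and the two functions stop agreeing: a plain ContinueLoop would restart the dispatcher with the same $i and spin forever, and a plain ExitLoop would make the For loop run to 10 instead of stopping at 7.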

Original:

Local $variable = 1
Global $var = 12345
Dim $iValue = 0xABBA

Obfuscated:

Local $nGuiyagSznwgwh = 1
Global $SMGPZHGE_GRUHVBRVUR_TRMWCXZV = 12345
Dim $var_12 = 0xABBA

All references to the renamed variables are automatically fixed.

Original:

Func Example($param1, $param2)
Func ProcessSomething()
Func Dummy($aArray)

Obfuscated:

Func VadOeCmEiez($param1, $param2)
Func func_91()
Func AvnsnFunc($aArray)

DllCall() and other functions that take a function name as a parameter are automatically fixed as long as the name is passed as a string literal (not as a variable!).

Original:

Local $result = Example($param1, $param2)
ProcessSomething()
$out = Dummy($aArray)
ConsoleWrite("Obfuscation for AutoIt")

Obfuscated:

Local $result = $VsoLkc($param1, $param2)
$DOX_MDK_WAVP()
$out = $aRacmLko($aArray)
$aAxieOjxz("Obfuscation for AutoIt")

Functions in AutoIt (user-defined and built-in alike) can be assigned to variables and called through them; this is a good way to hide the real name of the called function at the call site.
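The two previous points share one pitfall, illustrated by the following added example (written for this page, not the obfuscator's output). It assumes the renaming step has turned ProcessSomething() into func_91() and shows three call styles after that rename: a name passed as a string literal, which the renamer can see and rewrite; a name assembled at run time, which it cannot see and which therefore breaks; and a function stored in a variable, which keeps working because the identifier itself was renamed and no longer appears as text at the call site.

```autoit
; Added example for this page, not the obfuscator's output.
; Assumption: the original ProcessSomething() has already been renamed to func_91().

Func func_91()
    Return "processed"
EndFunc

; 1) Literal name: the renamer sees "ProcessSomething" and rewrites it to "func_91"
Local $sViaLiteral = Call("func_91")

; 2) Name built at run time: invisible to the renamer, so the old name survives the rename.
;    Call() signals an unknown function with @error = 0xDEAD and @extended = 0xBEEF.
Local $sName = "Process" & "Something"
Local $sViaVariable = Call($sName)
If @error = 0xDEAD And @extended = 0xBEEF Then
    $sViaVariable = "<Call failed: " & $sName & " no longer exists>"
EndIf

; 3) Function object in a variable: the identifier is renamed like any other, and the
;    call site $fHidden() reveals nothing about which function is being invoked
Local $fHidden = func_91
Local $sViaFuncVar = ""
If IsFunc($fHidden) Then $sViaFuncVar = $fHidden()

ConsoleWrite("literal : " & $sViaLiteral & @CRLF)
ConsoleWrite("variable: " & $sViaVariable & @CRLF)
ConsoleWrite("funcvar : " & $sViaFuncVar & @CRLF)
```

Before obfuscating a real script, grep it for Call(), AdlibRegister(), GUICtrlSetOnEvent() and similar built-ins whose first argument is a variable or a concatenation rather than a plain quoted name; those are the call sites that will fail at run time after renaming.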

Original:

ConsoleWrite(c())
Func a()
    Return "Hello!"
EndFunc
Func b()
    Return a()
EndFunc
Func c()
    Return b()
EndFunc

Obfuscated:

ConsoleWrite(c())
Func c()
    Return b()
EndFunc
Func a()
    Return "Hello!"
EndFunc
Func b()
    Return a()
EndFunc

The order of function definitions in an AutoIt script is not important, so they can be shuffled freely.

Original:

MsgBox($MB_ICONINFORMATION, "Title", "Caption")

Obfuscated:

MsgBox(64, "Title", "Caption")

Currently more than 15,000 Windows API constants are recognized.

Original:

Local $a = 1
Local $value = 1234
Local $lucky_seven = 777
Local $var = 0xFFFF
Local $count = 999
Local $item = 0x100
Local $diabolo = 666
Local $num = 9
Local $alignment = 512

Obfuscated:

Local $a = 3928 + $EiejcJks[3]
Local $value = (347445640 - 347444406)
Local $lucky_seven = Int(Sqrt(603729))
Local $var = BitXOR(312515813, IbmmftJgowlxa())
Local $count = BitOR(896, 103)
Local $item = BitNOT(-257)
Local $diabolo = BitRotate(10911744, 18, "D")
Local $num = 3 * 3
Local $alignment = 2 ^ 9

Arithmetic expressions use the + - * ^ operators and the Sqrt() function; bitwise expressions use the BitXOR(), BitOR(), BitNOT() and BitRotate() functions. Expressions can also pull in the helper random numbers described above, as $EiejcJks[3] and IbmmftJgowlxa() do here.

Original:

ConsoleWrite("Hello World!")
ConsoleWrite('Hello Nasty')
ConsoleWrite("Sample ""quotation"" within")
ConsoleWrite('Single ''quotation'' !')

Obfuscated:

ConsoleWrite("H" & "ell" & "o " & "W" & "orld" & "!")
ConsoleWrite('Hel' & 'lo Nast' & 'y')
ConsoleWrite("Samp" & "le ""quotation" & """ with" & "in")
ConsoleWrite('Single ' & '''quotati' & 'on''' & ' ' & '!')

Quoted strings within strings (doubled "" and '' escapes) are automatically detected and handled properly.

Original:

ConsoleWrite("Hello World!")
ConsoleWrite('Hello Bart')
ConsoleWrite('AutoIt Decompilation')

Obfuscated:

ConsoleWrite(StringReverse("!dlroW olleH"))
ConsoleWrite(StringTrimLeft('KKuqTHello Bart', 5))
ConsoleWrite(StringTrimRight('AutoIt DecompilationX', 1))

String modifications use the built-in StringReverse(), StringTrimRight() and StringTrimLeft() functions.

Original:

ConsoleWrite("How to protect AutoIt script?")

Obfuscated:

#include <Array.au3>   ; for _ArrayToString()
ConsoleWrite(DlnWck(87, $KQWGAWTNE, $vOedex))
...
Func DlnWck($var_1238, $g_tagNye, $g_v_nCrR)
    Local $6H_T[29] = [ 0x728F, 0x6DAF, 0x6CAF, 0x778F, _
                        0x6D0F, 0x6DAF, 0x778F, 0x6D8F, _
                        0x6D4F, 0x6DAF, 0x6D0F, 0x6EEF, _
                        0x6F2F, 0x6D0F, 0x778F, 0x736F, _
                        0x6CEF, 0x6D0F, 0x6DAF, 0x726F, _
                        0x6D0F, 0x778F, 0x6D2F, 0x6F2F, _
                        0x6D4F, 0x6E6F, 0x6D8F, 0x6D0F, _
                        0x73AF ]
    For $NYwQb = 0 To 28
        $Cwium = $6H_T[$NYwQb]
        $Cwium -= 0x7B90                          ; step 1: remove the additive key
        $Cwium = BitRotate($Cwium, 11, "W")       ; step 2: rotate the 16-bit word left by 11
        $Cwium = BitNOT($Cwium)                   ; step 3: invert all bits
        $6H_T[$NYwQb] = ChrW(BitAND($Cwium, 0xFFFF))
    Next
    Return _ArrayToString($6H_T, "")
EndFunc

The polymorphic string encryption engine is taken from our StringEncrypt solution.
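To see the scheme from both sides, here is an added example (written for this page; it is not the StringEncrypt engine's code) that runs the three decoder steps above backwards to produce a word table, emits it as AutoIt source the way a generator would, and decodes it again. The additive key and rotation count are drawn at random per build, which is what makes the output polymorphic; the decoder masks every intermediate value to 16 bits explicitly instead of relying on BitRotate() to do so for negative inputs. Function names and the random ranges are this example's own choices.

```autoit
; Added example for this page, not the StringEncrypt engine itself.

Func _EncryptToWords($sText, $iKey, $iRot)
    ; Inverse of the decoder: undo BitNOT, rotate right instead of left, add instead of subtract
    Local $iLen = StringLen($sText)        ; assumes a non-empty string
    Local $aWords[$iLen]
    Local $v
    For $i = 0 To $iLen - 1
        $v = AscW(StringMid($sText, $i + 1, 1))
        $v = BitAND(BitNOT($v), 0xFFFF)    ; inverse of the decoder's final BitNOT, kept to 16 bits
        $v = BitRotate($v, -$iRot, "W")    ; negative shift rotates right: inverse of the left rotate
        $v = BitAND($v + $iKey, 0xFFFF)    ; inverse of the subtraction, modulo 2^16
        $aWords[$i] = $v
    Next
    Return $aWords
EndFunc

Func _DecryptWords(ByRef $aWords, $iKey, $iRot)
    ; Same three steps as the page's decoder, with an explicit 16-bit wrap after the subtraction
    Local $sOut = "", $v
    For $i = 0 To UBound($aWords) - 1
        $v = BitAND($aWords[$i] - $iKey, 0xFFFF)
        $v = BitRotate($v, $iRot, "W")
        $v = BitNOT($v)
        $sOut &= ChrW(BitAND($v, 0xFFFF))
    Next
    Return $sOut
EndFunc

Func _WordsToSource(ByRef $aWords, $sName)
    ; Render the table as an AutoIt array literal, ready to be pasted into a protected script
    Local $sSrc = "Local $" & $sName & "[" & UBound($aWords) & "] = [ "
    For $i = 0 To UBound($aWords) - 1
        $sSrc &= "0x" & Hex($aWords[$i], 4)
        If $i < UBound($aWords) - 1 Then $sSrc &= ", "
    Next
    Return $sSrc & " ]"
EndFunc

; Constructed input; key and rotation change on every run, so the emitted table differs each time
Local $sPlain = "How to protect AutoIt script?"
Local $iKey = Random(1, 0xFFFF, 1)
Local $iRot = Random(1, 15, 1)
Local $aEnc = _EncryptToWords($sPlain, $iKey, $iRot)

ConsoleWrite("Key 0x" & Hex($iKey, 4) & ", rotate " & $iRot & @CRLF)
ConsoleWrite(_WordsToSource($aEnc, "aEncrypted") & @CRLF)
ConsoleWrite("Round trip OK: " & (_DecryptWords($aEnc, $iKey, $iRot) == $sPlain) & @CRLF)

; Re-run with the key (0x7B90) and rotation (11) used by the table above to compare the two outputs
Local $aPage = _EncryptToWords($sPlain, 0x7B90, 11)
ConsoleWrite(_WordsToSource($aPage, "aPageTable") & @CRLF)
```

The last two lines let you compare the generated words with the $6H_T table above word for word. The scheme is a per-string substitution with a fixed key, so it protects against casual string dumps and not against an analyst who can run or emulate the decoder; that is also why the engine varies key, rotation and code shape per string rather than relying on the secrecy of the algorithm.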

Original:

Local $a = 1
Local $var = 123

Obfuscated:

Local $a = ($fBnbFcgx[5] >= $xCsccjis[12] ? 1 : $g_GIqyy)
Local $var = (SqXoFunc() <> $Abv ? $var_2029[3] : 123)

The conditions are built from helper random values so that at run time they always select the original value, while a reader cannot tell which branch is taken without evaluating them. Read more about the ternary operator in AutoIt.